From 5f7186ce6b4aedde0b60634b84c123e05a733a09 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:42:59 -0800 Subject: [PATCH 01/10] Switch CFS to msazure feed The crux of our problems was the cross-org feed permissions. --- .cargo/config.toml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.cargo/config.toml b/.cargo/config.toml index 511ebe358..39c82a34b 100644 --- a/.cargo/config.toml +++ b/.cargo/config.toml @@ -3,7 +3,10 @@ registry-auth = true [registries] -POWERSHELL = { index = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/Cargo/index/" } +DSCCargoMirror = { index = "sparse+https://pkgs.dev.azure.com/msazure/One/_packaging/DSCCargoMirror/Cargo/index/" } + +[source.crates-io] +replace-with = "DSCCargoMirror" [registry] global-credential-providers = ["cargo:token"] @@ -36,10 +39,6 @@ rustflags = [ "-Dwarnings" ] -# The following is only needed for release builds -[source.crates-io] -replace-with = "POWERSHELL" - # Enable running `cargo xtask ` [alias] xtask = "run --package xtask --" From f7ee18d6c83a33ea11df3338bbffda2b6963fb37 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:45:27 -0800 Subject: [PATCH 02/10] Update from ms-prod-1.88 to ms-prod-1.93 The version ms-stable stopped being supported in 2024 so we've been on an old toolchain. --- .pipelines/DSC-Official.yml | 6 +++--- .pipelines/DSC-Windows.yml | 2 +- helpers.build.psm1 | 2 +- packaging.ps1 | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 2978e359f..8aaaccd25 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -313,7 +313,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: x86_64-unknown-linux-musl displayName: Install Rust @@ -352,7 +352,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: aarch64-unknown-linux-musl displayName: Install Rust @@ -420,7 +420,7 @@ extends: steps: - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: $(Rust.SDK) additionalTargets: $(buildName) displayName: Install Rust diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index 1ede90d8f..7ff7743bb 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -32,7 +32,7 @@ steps: ob_restore_phase: true - task: RustInstaller@1 inputs: - rustVersion: ms-stable + rustVersion: ms-prod-1.93 toolchainFeed: ${{ parameters.RustSDK }} additionalTargets: ${{ parameters.buildName }} displayName: Install Rust diff --git a/helpers.build.psm1 b/helpers.build.psm1 index 9c9dac003..a99a9e89f 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -370,7 +370,7 @@ function Get-RustUp { if ($null -ne (Get-Command msrustup -CommandType Application -ErrorAction Ignore)) { Write-Verbose -Verbose "Using msrustup" $rustup = 'msrustup' - $channel = 'ms-stable' + $channel = 'ms-prod-1.93' if ($architecture -eq 'current') { $env:MSRUSTUP_TOOLCHAIN = "$architecture" } diff --git a/packaging.ps1 b/packaging.ps1 index 1932c0428..8c7fb97e1 100755 --- a/packaging.ps1 +++ b/packaging.ps1 @@ -163,7 +163,7 @@ $channel = 'stable' if ($null -ne (Get-Command msrustup -CommandType Application -ErrorAction Ignore)) { Write-Verbose -Verbose "Using msrustup" $rustup = 'msrustup' - $channel = 'ms-stable' + $channel = 'ms-prod-1.93' if ($architecture -eq 'current') { $env:MSRUSTUP_TOOLCHAIN = "$architecture" } From 94d995c0fe71e644fc74d1f56840238dff2e07a0 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:55:40 -0800 Subject: [PATCH 03/10] Switch OneBranch to msazure CFS feed Which removes the need to do complicated authentication. --- .pipelines/DSC-Official.yml | 58 +++++++------------------------------ .pipelines/DSC-Windows.yml | 23 +++------------ 2 files changed, 14 insertions(+), 67 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 8aaaccd25..6d773914e 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -99,17 +99,6 @@ extends: Write-Host "##$vstsCommandString" name: Package displayName: Set Package Version - - task: AzureCLI@2 - displayName: Get Az Token - inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - $vstsCommandString = "vso[task.setvariable variable=AzToken;isoutput=true]$token" - Write-Host "Setting token" - Write-Host "##$vstsCommandString" - job: BuildWin_x64 dependsOn: SetPackageVersion @@ -117,7 +106,6 @@ extends: ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true @@ -129,7 +117,6 @@ extends: buildName: x86_64-pc-windows-msvc signSrcPath: '$(signSrcPath)' PackageRoot: '$(PackageRoot)' - aztoken: '$(AzToken)' rustSDK: '$(Rust.SDK)' - job: BuildWin_arm64 @@ -138,7 +125,6 @@ extends: ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true @@ -150,7 +136,6 @@ extends: buildName: aarch64-pc-windows-msvc signSrcPath: '$(signSrcPath)' PackageRoot: '$(PackageRoot)' - aztoken: '$(AzToken)' rustSDK: '$(Rust.SDK)' - job: CreateMsixBundle @@ -167,7 +152,6 @@ extends: ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false - ob_restore_phase: true pool: type: windows steps: @@ -302,7 +286,6 @@ extends: variables: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' @@ -317,14 +300,13 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: x86_64-unknown-linux-musl displayName: Install Rust - env: - ob_restore_phase: true + - task: CargoAuthenticate@0 + inputs: + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | apt update apt -y install musl-tools rpm dpkg build-essential protobuf-compiler - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' ./build.ps1 -Release -Architecture x86_64-unknown-linux-musl ./packaging.ps1 -PackageType tgz -Architecture x86_64-unknown-linux-musl -Release ./packaging.ps1 -PackageType rpm -Architecture x86_64-unknown-linux-musl -Release @@ -340,7 +322,6 @@ extends: variables: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204-arm64:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' @@ -356,16 +337,10 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: aarch64-unknown-linux-musl displayName: Install Rust - env: - ob_restore_phase: true - - task: AzureCLI@2 - displayName: Azure CLI + - task: CargoAuthenticate@0 inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - az account show + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | $env:CC_aarch64_unknown_linux_musl='clang' $env:AR_aarch64_unknown_linux_musl='llvm-ar' @@ -386,9 +361,6 @@ extends: if ((openssl version -d) -match 'OPENSSLDIR: "(?.*?)"') { $env:OPENSSL_LIB_DIR = $matches['dir'] } - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' ./build.ps1 -Release -Architecture aarch64-unknown-linux-musl ./packaging.ps1 -PackageType tgz -Architecture aarch64-unknown-linux-musl -Release ./packaging.ps1 -PackageType rpm -Architecture aarch64-unknown-linux-musl -Release @@ -403,7 +375,6 @@ extends: dependsOn: SetPackageVersion variables: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] - AzToken: $[ dependencies.SetPackageVersion.outputs['AzToken'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' displayName: BuildMac pool: @@ -424,20 +395,11 @@ extends: toolchainFeed: $(Rust.SDK) additionalTargets: $(buildName) displayName: Install Rust - env: - ob_restore_phase: true - - task: AzureCLI@2 - displayName: Azure CLI + - task: CargoAuthenticate@0 inputs: - azureSubscription: PowerShell-CICD-Feed-Access - scriptType: pscore - scriptLocation: inlineScript - inlineScript: | - az account show + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | - $header = "Bearer $(AzToken)" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' Write-Verbose -Verbose "Building for $(buildName)" ./build.ps1 -Release -Architecture $(buildName) ./packaging.ps1 -PackageType tgz -Architecture $(buildName) -Release diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index 7ff7743bb..c662a814f 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -8,40 +8,31 @@ parameters: - name: BuildConfiguration type: string default: Release - - name: aztoken - type: string - name: RustSDK type: string steps: - checkout: self - env: - ob_restore_phase: true - task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. inputs: Enabled: true AnalyzeInPipeline: true Language: rust - env: - ob_restore_phase: true - pwsh: | $tmpdir = "$(Agent.TempDirectory)" Write-Host "##vso[task.setvariable variable=CARGO_TARGET_DIR;]$tmpdir" displayName: 🛠️ Workaround for the LoadLibrary ACCESS_VIOLATION OneBranch issue - env: - ob_restore_phase: true - task: RustInstaller@1 inputs: rustVersion: ms-prod-1.93 toolchainFeed: ${{ parameters.RustSDK }} additionalTargets: ${{ parameters.buildName }} displayName: Install Rust - env: - ob_restore_phase: true +- task: CargoAuthenticate@0 + inputs: + configFile: '.cargo/config.toml' + displayName: Authenticate with Azure Artifacts - pwsh: | - $header = "Bearer ${{ parameters.aztoken }}" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' Set-Location "$(Build.SourcesDirectory)/DSC" $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" if (!(Test-Path $LLVMBIN)) { @@ -52,13 +43,9 @@ steps: Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose displayName: 'Build ${{ parameters.buildName }}' - env: - ob_restore_phase: true condition: succeeded() - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. condition: always() - env: - ob_restore_phase: true - pwsh: | $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}" -ErrorAction Ignore $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}/out" -ErrorAction Ignore @@ -72,8 +59,6 @@ steps: write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries - env: - ob_restore_phase: true condition: succeeded() - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files From 0af5502fe3ca99fcee9a0d2c686674b9ca68d5a3 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 18:00:49 -0800 Subject: [PATCH 04/10] Remove `-UseCFSAuth` in favor of auto-auth via task (or user setup) --- .github/instructions/instructions.md | 1 - .pipelines/DSC-Windows.yml | 2 +- build.ps1 | 5 ++--- helpers.build.psm1 | 25 +------------------------ packaging.ps1 | 20 +------------------- 5 files changed, 5 insertions(+), 48 deletions(-) diff --git a/.github/instructions/instructions.md b/.github/instructions/instructions.md index 9e263e1dc..3c0d951b2 100644 --- a/.github/instructions/instructions.md +++ b/.github/instructions/instructions.md @@ -416,7 +416,6 @@ The build script automatically installs these. If issues persist: | `-UseCFS` | Switch | Use Component Framework Service | | `-UpdateLockFile` | Switch | Update Cargo.lock file | | `-Audit` | Switch | Run cargo audit for security vulnerabilities | -| `-UseCFSAuth` | Switch | Use CFS authentication | | `-Clean` | Switch | Clean build artifacts before building | | `-CacheRustBuild` | Switch | Cache Rust build artifacts | | `-RustDocs` | Switch | Generate Rust documentation | diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index c662a814f..dc4ed60ce 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -30,7 +30,7 @@ steps: displayName: Install Rust - task: CargoAuthenticate@0 inputs: - configFile: '.cargo/config.toml' + configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | Set-Location "$(Build.SourcesDirectory)/DSC" diff --git a/build.ps1 b/build.ps1 index 7479946cb..0f07ca224 100755 --- a/build.ps1 +++ b/build.ps1 @@ -94,7 +94,6 @@ param( [switch]$UseCFS, [switch]$UpdateLockFile, [switch]$Audit, - [switch]$UseCFSAuth, [switch]$Clean, [switch]$CacheRustBuild, [switch]$RustDocs, @@ -113,7 +112,7 @@ begin { Import-Module ./helpers.build.psm1 -Force -Verbose:$false $usingADO = ($null -ne $env:TF_BUILD) - if ($usingADO -or $UseCFSAuth) { + if ($usingADO) { $UseCFS = $true } # Import the build data @@ -183,7 +182,7 @@ process { Write-BuildProgress @progressParams -Status 'Configuring Rust environment' [hashtable]$priorRustEnvironment = Set-RustEnvironment -CacheRustBuild:$CacheRustBuild @VerboseParam Write-BuildProgress @progressParams -Status 'Configuring Cargo environment' - Set-CargoEnvironment -UseCFS:$UseCFS -UseCFSAuth:$UseCFSAuth @VerboseParam + Set-CargoEnvironment -UseCFS:$UseCFS @VerboseParam # Install or update rust if (!$usingADO) { diff --git a/helpers.build.psm1 b/helpers.build.psm1 index a99a9e89f..4e9ce7fba 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -805,8 +805,7 @@ function Set-CargoEnvironment { #> [cmdletbinding()] param( - [switch]$UseCFS, - [switch]$UseCFSAuth + [switch]$UseCFS ) process { @@ -814,28 +813,6 @@ function Set-CargoEnvironment { Write-Host "Using CFS for cargo source replacement" ${env:CARGO_SOURCE_crates-io_REPLACE_WITH} = $null $env:CARGO_REGISTRIES_CRATESIO_INDEX = $null - - if ($UseCFSAuth) { - if ($null -eq (Get-Command 'az' -ErrorAction Ignore)) { - throw "Azure CLI not found" - } - - if ($null -ne (Get-Command az -ErrorAction Ignore)) { - Write-Host "Getting token" - $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - if ($LASTEXITCODE -ne 0) { - Write-Warning "Failed to get access token, use 'az login' first, or use '-useCratesIO' to use crates.io. Proceeding with anonymous access." - } else { - $header = "Bearer $accessToken" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' - $env:CARGO_REGISTRIES_POWERSHELL_INDEX = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell~force-auth/Cargo/index/" - } - } - else { - Write-Warning "Azure CLI not found, proceeding with anonymous access." - } - } } else { # this will override the config.toml Write-Host "Setting CARGO_SOURCE_crates-io_REPLACE_WITH to 'crates-io'" diff --git a/packaging.ps1 b/packaging.ps1 index 8c7fb97e1..ef912eb4e 100755 --- a/packaging.ps1 +++ b/packaging.ps1 @@ -18,7 +18,6 @@ param( [switch]$UseCFS, [switch]$UpdateLockFile, [switch]$Audit, - [switch]$UseCFSAuth, [switch]$Clean, [switch]$Verbose ) @@ -30,7 +29,7 @@ trap { $env:RUSTC_LOG=$null $usingADO = ($null -ne $env:TF_BUILD) -if ($usingADO -or $UseCFSAuth) { +if ($usingADO) { $UseCFS = $true } @@ -178,23 +177,6 @@ if ($null -ne $packageType) { Write-Host "Using CFS for cargo source replacement" ${env:CARGO_SOURCE_crates-io_REPLACE_WITH} = $null $env:CARGO_REGISTRIES_CRATESIO_INDEX = $null - - if ($UseCFSAuth) { - if ($null -eq (Get-Command 'az' -ErrorAction Ignore)) { - throw "Azure CLI not found" - } - - Write-Host "Getting token" - $accessToken = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv - if ($LASTEXITCODE -ne 0) { - Write-Warning "Failed to get access token, use 'az login' first, or use '-useCratesIO' to use crates.io. Proceeding with anonymous access." - } else { - $header = "Bearer $accessToken" - $env:CARGO_REGISTRIES_POWERSHELL_TOKEN = $header - $env:CARGO_REGISTRIES_POWERSHELL_CREDENTIAL_PROVIDER = 'cargo:token' - $env:CARGO_REGISTRIES_POWERSHELL_INDEX = "sparse+https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell~force-auth/Cargo/index/" - } - } } else { # this will override the config.toml Write-Host "Setting CARGO_SOURCE_crates-io_REPLACE_WITH to 'crates-io'" From 0c2974776a63b328ea39748730a15dcbc9c2b1d3 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 20:39:54 -0800 Subject: [PATCH 05/10] Fix RPM package --- packaging/rpm/dsc.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/packaging/rpm/dsc.spec b/packaging/rpm/dsc.spec index 424283519..76267d725 100644 --- a/packaging/rpm/dsc.spec +++ b/packaging/rpm/dsc.spec @@ -33,6 +33,7 @@ ln -s /opt/dsc/dsc-bicep-ext $RPM_BUILD_ROOT/usr/bin/dsc-bicep-ext %files /opt/dsc/* /usr/bin/dsc +/usr/bin/dsc-bicep-ext %changelog * Wed Oct 22 2025 Microsoft Corporation From 12ac40c2a116925b54a8dc14126fac287cd333dc Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:41:23 -0800 Subject: [PATCH 06/10] Clean up pwsh tasks --- .pipelines/DSC-Windows.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index dc4ed60ce..ae966da35 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -33,7 +33,6 @@ steps: configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" if (!(Test-Path $LLVMBIN)) { throw "LLVM path '$LLVMBIN' does not exist" @@ -42,8 +41,8 @@ steps: write-verbose -verbose (gcm clang.exe | out-string) Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Build ${{ parameters.buildName }}' - condition: succeeded() - task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. condition: always() - pwsh: | @@ -59,7 +58,6 @@ steps: write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries - condition: succeeded() - task: onebranch.pipeline.signing@1 displayName: Sign 1st party files inputs: @@ -79,14 +77,12 @@ steps: TargetFolder: $(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} OverWrite: true - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" ./packaging.ps1 -PackageType zip -Architecture ${{ parameters.buildName }} -Release Copy-Item ./bin/*.zip "$(Build.ArtifactStagingDirectory)" -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Zip ${{ parameters.buildName }}' - condition: succeeded() - pwsh: | - Set-Location "$(Build.SourcesDirectory)/DSC" ./build.ps1 -PackageType msix -Architecture ${{ parameters.buildName }} -Release -UseX64MakeAppx Copy-Item ./bin/msix/*.msix "$(Build.ArtifactStagingDirectory)" -Verbose + workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Create msix for ${{ parameters.buildName }}' - condition: succeeded() From 66bd71d87e721830f4fdc3cf6cc45f72c7332531 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:46:38 -0800 Subject: [PATCH 07/10] Fix path issues by removing redunant checkout step The OneBranch template automatically checks out the repo, doing it again is what messed up CodeQL and signing. --- .pipelines/DSC-Official.yml | 20 +++++--------------- .pipelines/DSC-Windows.yml | 17 +++-------------- 2 files changed, 8 insertions(+), 29 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 6d773914e..8e78b4b95 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -65,7 +65,6 @@ extends: forStages: [Build] credscan: enabled: true - scanFolder: $(System.DefaultWorkingDirectory) binskim: enabled: true apiscan: @@ -83,17 +82,13 @@ extends: type: windows vmImage: windows-latest variables: - repoRoot: '$(System.DefaultWorkingDirectory)\DSC' - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false steps: - - checkout: self - pwsh: | - Write-Verbose -Verbose (Get-ChildItem '$(repoRoot)' | Out-String) - $packageVersion = $(repoRoot)/packaging.ps1 -GetPackageVersion + $packageVersion = ./packaging.ps1 -GetPackageVersion $vstsCommandString = "vso[task.setvariable variable=Version;isoutput=true]$packageVersion" Write-Host ("sending " + $vstsCommandString) Write-Host "##$vstsCommandString" @@ -103,7 +98,6 @@ extends: - job: BuildWin_x64 dependsOn: SetPackageVersion variables: - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' ob_sdl_sbom_enabled: true @@ -122,7 +116,6 @@ extends: - job: BuildWin_arm64 dependsOn: SetPackageVersion variables: - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' signSrcPath: '$(System.DefaultWorkingDirectory)\out' ob_sdl_sbom_enabled: true @@ -144,9 +137,8 @@ extends: - BuildWin_arm64 variables: ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_sdl_tsa_configFile: '$(System.DefaultWorkingDirectory)\.config\tsaoptions.json' ob_symbolsPublishing_enabled: true - ob_symbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)\DSC\bin' + ob_symbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)\bin' ob_symbolsPublishing_searchPattern: '**/*.pdb' ob_symbolsPublishing_indexSources: true ob_sdl_sbom_enabled: false @@ -155,7 +147,6 @@ extends: pool: type: windows steps: - - checkout: self - download: current artifact: drop_BuildAndSign_BuildWin_x64 patterns: '*.msix' @@ -163,12 +154,11 @@ extends: artifact: drop_BuildAndSign_BuildWin_arm64 patterns: '*.msix' - pwsh: | - Set-Location "$(System.DefaultWorkingDirectory)\DSC" $null = New-Item -ItemType Directory -Path "./bin/msix" -Force -ErrorAction Ignore Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_x64/*.msix" ./bin/msix -Verbose Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_arm64/*.msix" ./bin/msix -Verbose ./build.ps1 -PackageType msixbundle - Copy-Item "$(System.DefaultWorkingDirectory)/DSC/bin/*.msixbundle" "$(ob_outputDirectory)" + Copy-Item "./bin/*.msixbundle" "$(ob_outputDirectory)" displayName: 'Create msixbundle' condition: succeeded() @@ -288,7 +278,7 @@ extends: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' + ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-x64-musl pool: @@ -324,7 +314,7 @@ extends: PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(System.DefaultWorkingDirectory)/DSC/bin' + ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-ARM64-musl pool: diff --git a/.pipelines/DSC-Windows.yml b/.pipelines/DSC-Windows.yml index ae966da35..812165e76 100644 --- a/.pipelines/DSC-Windows.yml +++ b/.pipelines/DSC-Windows.yml @@ -12,12 +12,6 @@ parameters: type: string steps: -- checkout: self -- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step. - inputs: - Enabled: true - AnalyzeInPipeline: true - Language: rust - pwsh: | $tmpdir = "$(Agent.TempDirectory)" Write-Host "##vso[task.setvariable variable=CARGO_TARGET_DIR;]$tmpdir" @@ -30,7 +24,7 @@ steps: displayName: Install Rust - task: CargoAuthenticate@0 inputs: - configFile: '$(Build.SourcesDirectory)/DSC/.cargo/config.toml' + configFile: '.cargo/config.toml' displayName: Authenticate with Azure Artifacts - pwsh: | $LLVMBIN = "$($env:PROGRAMFILES)\Microsoft Visual Studio\2022\Enterprise\VC\Tools\Llvm\bin" @@ -41,10 +35,7 @@ steps: write-verbose -verbose (gcm clang.exe | out-string) Write-Verbose -Verbose "Building for ${{ parameters.buildName }}" ./build.ps1 -Release -Architecture ${{ parameters.buildName }} -SkipLinkCheck -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Build ${{ parameters.buildName }}' -- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step. - condition: always() - pwsh: | $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}" -ErrorAction Ignore $null = New-Item -ItemType Directory -Path "${{ parameters.PackageRoot }}/out" -ErrorAction Ignore @@ -54,7 +45,7 @@ steps: # copy only the exes from the TMP folder since it contains intermediately built files we don't want to sign write-host 'Binaries in ${env:CARGO_TARGET_DIR}' Copy-Item -Path "$env:CARGO_TARGET_DIR/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*.exe" -Destination "${{ parameters.signSrcPath }}" -Verbose - Copy-Item -Path "$(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force + Copy-Item -Path "./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }}/*" -Recurse -Destination "${{ parameters.signSrcPath }}" -Verbose -Force write-host 'Binaries in ${{ parameters.signSrcPath }}' dir -r "${{ parameters.signSrcPath }}" displayName: Copy built binaries @@ -74,15 +65,13 @@ steps: inputs: SourceFolder: "${{ parameters.signSrcPath }}" Contents: '**' - TargetFolder: $(Build.SourcesDirectory)/DSC/bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} + TargetFolder: ./bin/${{ parameters.buildName }}/${{ parameters.BuildConfiguration }} OverWrite: true - pwsh: | ./packaging.ps1 -PackageType zip -Architecture ${{ parameters.buildName }} -Release Copy-Item ./bin/*.zip "$(Build.ArtifactStagingDirectory)" -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Zip ${{ parameters.buildName }}' - pwsh: | ./build.ps1 -PackageType msix -Architecture ${{ parameters.buildName }} -Release -UseX64MakeAppx Copy-Item ./bin/msix/*.msix "$(Build.ArtifactStagingDirectory)" -Verbose - workingDirectory: $(Build.SourcesDirectory)/DSC displayName: 'Create msix for ${{ parameters.buildName }}' From 8727146bdb73dbfbadb189f9dcb613d91cd9ad3a Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 00:01:19 -0800 Subject: [PATCH 08/10] Pass `-UseX64MakeAppx` to fix MSIX build --- build.ps1 | 9 +++++---- helpers.build.psm1 | 16 ++++++++++++---- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/build.ps1 b/build.ps1 index 0f07ca224..918d90236 100755 --- a/build.ps1 +++ b/build.ps1 @@ -299,10 +299,11 @@ process { if (-not [string]::IsNullOrEmpty($PackageType)) { $progressParams.Activity = "Packaging" $packageParams = @{ - BuildData = $BuildData - PackageType = $PackageType - Architecture = $Architecture - Release = $Release + BuildData = $BuildData + PackageType = $PackageType + Architecture = $Architecture + Release = $Release + UseX64MakeAppx = $UseX64MakeAppx } Write-BuildProgress @progressParams Build-DscPackage @packageParams @VerboseParam diff --git a/helpers.build.psm1 b/helpers.build.psm1 index 4e9ce7fba..c86775385 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -1209,7 +1209,12 @@ function Update-PathEnvironment { } } -function Find-MakeAppx() { +function Find-MakeAppx { + [CmdletBinding()] + param( + [switch]$UseX64MakeAppx + ) + $makeappx = Get-Command makeappx -CommandType Application -ErrorAction Ignore if ($null -eq $makeappx) { # try to find @@ -1786,7 +1791,8 @@ function Build-DscMsixPackage { 'x86_64-unknown-linux-musl' )] $Architecture = 'current', - [switch]$Release + [switch]$Release, + [switch]$UseX64MakeAppx ) begin { @@ -1803,7 +1809,7 @@ function Build-DscMsixPackage { $productVersion = Get-DscCliVersion $isPrivate = $packageType -eq 'msix-private' $isPreview = $productVersion -like '*-*' - $makeappx = Find-MakeAppx + $makeappx = Find-MakeAppx -UseX64MakeAppx:$UseX64MakeAppx $makepri = Get-Item (Join-Path $makeappx.Directory "makepri.exe") -ErrorAction Stop } @@ -2144,7 +2150,8 @@ function Build-DscPackage { 'x86_64-unknown-linux-musl' )] $Architecture = 'current', - [switch]$Release + [switch]$Release, + [switch]$UseX64MakeAppx ) begin { @@ -2159,6 +2166,7 @@ function Build-DscPackage { ArtifactDirectory = $artifactDirectory Architecture = $Architecture Release = $Release + UseX64MakeAppx = $UseX64MakeAppx } } From 18e5ba80968ff19abce7922e6c6a21635bc9de2a Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 08:49:37 -0800 Subject: [PATCH 09/10] Fix symbol publishing It never worked on Linux in the first place, so disable that. On Windows it needs to be where we built, not where we're packaging the MSIX (and so have lost our sources and symbols). --- .pipelines/DSC-Official.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 8e78b4b95..44da5e15d 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -103,6 +103,8 @@ extends: ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true + ob_symbolsPublishing_enabled: true + ob_symbolsPublishing_indexSources: true pool: type: windows steps: @@ -121,6 +123,8 @@ extends: ob_sdl_sbom_enabled: true ob_signing_setup_enabled: true ob_sdl_codeql_compiled_enabled: true + ob_symbolsPublishing_enabled: true + ob_symbolsPublishing_indexSources: true pool: type: windows steps: @@ -137,10 +141,6 @@ extends: - BuildWin_arm64 variables: ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_symbolsPublishing_enabled: true - ob_symbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)\bin' - ob_symbolsPublishing_searchPattern: '**/*.pdb' - ob_symbolsPublishing_indexSources: true ob_sdl_sbom_enabled: false ob_signing_setup_enabled: false ob_sdl_codeql_compiled_enabled: false @@ -277,9 +277,6 @@ extends: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' - ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-x64-musl pool: type: linux @@ -313,9 +310,6 @@ extends: LinuxContainerImage: 'onebranch.azurecr.io/linux/ubuntu-2204-arm64:latest' PackageVersion: $[ dependencies.SetPackageVersion.outputs['Package.Version'] ] ob_outputDirectory: '$(Build.ArtifactStagingDirectory)' - ob_linuxSymbolsPublishing_enabled: true - ob_linuxSymbolsPublishing_symbolsFolder: '$(Build.SourcesDirectory)/bin' - ob_linuxSymbolsPublishing_searchPattern: '**/*.dbg' displayName: Linux-ARM64-musl pool: type: linux From c79a48d92851539d74f92906c365a30f36aca010 Mon Sep 17 00:00:00 2001 From: Andy Jordan <2226434+andyleejordan@users.noreply.github.com> Date: Fri, 6 Mar 2026 10:12:47 -0800 Subject: [PATCH 10/10] Fix msixbundle path We were assuming this was bin root (like in the old package script). --- .pipelines/DSC-Official.yml | 2 +- helpers.build.psm1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/DSC-Official.yml b/.pipelines/DSC-Official.yml index 44da5e15d..af5506be1 100644 --- a/.pipelines/DSC-Official.yml +++ b/.pipelines/DSC-Official.yml @@ -157,7 +157,7 @@ extends: $null = New-Item -ItemType Directory -Path "./bin/msix" -Force -ErrorAction Ignore Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_x64/*.msix" ./bin/msix -Verbose Copy-Item "$(Pipeline.Workspace)/drop_BuildAndSign_BuildWin_arm64/*.msix" ./bin/msix -Verbose - ./build.ps1 -PackageType msixbundle + ./build.ps1 -Release -PackageType msixbundle Copy-Item "./bin/*.msixbundle" "$(ob_outputDirectory)" displayName: 'Create msixbundle' condition: succeeded() diff --git a/helpers.build.psm1 b/helpers.build.psm1 index c86775385..b577a284c 100644 --- a/helpers.build.psm1 +++ b/helpers.build.psm1 @@ -1819,7 +1819,7 @@ function Build-DscMsixPackage { $msixArguments = @( 'bundle' '/d', $artifactDirectory.MsixBundle - '/p', "$($artifactDirectory.Bin)\$packageName.msixbundle" + '/p', "$($artifactDirectory.BinRoot)\$packageName.msixbundle" ) & $makeappx @msixArguments return